handbook
overview
You've hardened your servers, locked down your website and are ready to take on the
internet. But all your hard work was in vain, because someone fell for a phishing email
and wired money to a scammer, while another user inadvertently downloaded and
installed malware from an email link that opened a backdoor into the network. Email is as
important as the website when it comes to security. Because email is a channel for social
engineering, malware delivery and resource exploitation, a combination of best practices
and user education should be enacted to reduce the risk of an email-related compromise.
By following this 13-step checklist, you can make your email configuration resilient to the
most common attacks and make sure it stays that way.
@UpGuard | UpGuard.com
1. Enable SPF
How do you know if an email is really from who it says it's from? There are a couple of
ways to answer this question, and Sender Policy Framework (SPF) is one. SPF works
by publishing a DNS record of which servers are allowed to send email from a specific
domain.
1. An SPF-enabled email server receives an email from somebody@example.com.
2. The email server looks up example.com and reads the SPF TXT record in DNS.
3. If the originating server of the email matches one of the allowed servers in the SPF record, the message is accepted.
SPF should be enabled on all edge email systems to ensure both that emails coming
into your organization can be checked for SPF and that emails coming from your
organization can't be impersonated by someone using an email server not listed in the
SPF record. Failure to use SPF means your emails can't be checked for an authentic
origination server and are therefore far less trustworthy than those that can.
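The three-step check above, worked through in code. This is an added example, not code from the handbook or from UpGuard; the DNS TXT data, domain and IP addresses are constructed for illustration, and only the ip4, ip6 and all mechanisms are evaluated so it runs offline.

```python
import ipaddress

# Constructed DNS TXT data for a hypothetical domain (an assumption, not from the handbook).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an already-fetched SPF record against the connecting IP.

    Handles the ip4, ip6 and all mechanisms with their qualifiers. Mechanisms
    that need further DNS lookups (a, mx, include, exists, ptr) are rejected
    so the example stays offline and deterministic.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an absent qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]  # "all" always matches and ends evaluation
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"{mechanism} needs a DNS lookup")
    return "neutral"  # nothing matched and no "all" term: RFC 7208 default


def check_sender(envelope_from, sender_ip, txt_records=FAKE_DNS_TXT):
    """The three handbook steps: take the sender's domain, look up its SPF TXT
    record, and test the originating server's IP against it."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = txt_records.get(domain, "")
    return evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.26", "2001:db8:1::5"):
        print(ip, check_sender("somebody@example.com", ip))
```

A "softfail" (~all) record lets spoofed mail through with only a tag, which is why the handbook's step on DMARC matters: it tells receivers what to do with such results.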
2. Enable DKIM
Unlike SPF, which applies on a per-domain basis, DomainKeys Identified Mail (DKIM)
adds an encrypted signature on every message that can be validated by a remote
server against a DNS TXT record.
Essentially, organizations claim responsibility for email messages with their DKIM
signature. Because signatures are encrypted, they are very difficult to forge; therefore
an organization's reputation is on the line for messages sent out under their DKIM
signature. DKIM signatures will be ignored by mail servers that do not support it, so
there's no worrying about whether all your recipients are DKIM compatible. Failure
to use DKIM reduces the integrity of your email and increases the likelihood of your
domain being blacklisted.
3. Enable DMARC
The Domain-based Message Authentication, Reporting and Conformance (DMARC)
protocol builds on SPF and DKIM to handle verification of sender domains. DMARC also
provides reporting to give organizations visibility into their email policy. Additionally,
DMARC specifies what to do with a message if the SPF and DKIM authentication
mechanisms fail. The combination of SPF, DKIM and DMARC creates a trustworthy email
environment. All three rely on DNS TXT records to work, so be sure to see step 11 on
securing DNS. Failure to use DMARC means that SPF and DKIM policies will be different
depending on where the message is sent. DMARC standardizes that by including
instructions within the email itself.
1. Subscribe to a DNS blackhole list. This will block most of the spam right at the edge.
2. Enable rate control to prevent remote senders from overwhelming the server.
3. Enable content analysis to heuristically block or quarantine probable spam.
4. Block senders who fail reverse DNS lookups.
5. Filter dangerous attachments. (See step 8 of this guide.)
There are other ways to protect against spam, but configuring these 5 on a dedicated
spam filter should clean up your mail delivery and have a minimal number of false
positives. Failure to set up a spam filter will mean most of the email your organization
processes is garbage and people's inboxes will be near impossible to use.
5. Disable Relaying
Relaying is the process of connecting to an email server and sending mail through that
server to a third party. Here's an example of how this can go terribly wrong:
1. Using a remailer service (mail goes from your users, to the third-party internet remailer, then back to your organization)
2. Cloud services set to send as domain users
3. Web application forms that trigger emails sent from an internet web server with a domain email address
Depending on your mail system, you may be able to allow email from specific hosts
while still blocking it from the internet at large. Failure to do this can result in phishing
emails sent to your users that seem to come from your email domain, which can easily
trick someone into giving away their password or other important information.
1. Create a log retention policy. This will be the period of time that you can be reasonably expected to go back and have log data. This should suit your business needs, as well as meet any legal requirements for your industry. Failure to have this policy can cause chaos within an organization in the event of a disaster. Business expectations should be realistic and well documented.
2. Make sure you have enough disk space for your logs. Systems administration 101, right? Yet many production servers are built to a spec that only accounts for the application resources and doesn't factor in tertiary needs such as logging, backup or monitoring. You need enough space to support the company's retention policy.
3. Consider using log visualization tools that can efficiently summarize the huge amounts of data into a dashboard or other convenient format. But even if you do use one, be sure you know how to read the raw logs as well; it's better not to learn in an emergency.
Every piece of your mail environment (spam filters, edge servers, database servers,
MTAs) will likely have logs, so be sure to know what information is where and how to
access it. Exchange has its own set of logs that should be monitored and troubleshot if
necessary.
conclusion
Email security is a broad topic, but by following these 13 steps, you can be reasonably
sure you have protected yourself against the most common attacks. Reputation is
tied to email, so taking steps to ensure only authorized communications come from
your company's domain protects more than just its digital assets. Because email is a
medium of social engineering, educating people on phishing scams and other
malicious email activity will nicely complement a well-configured spam filter to prevent
data breaches and malware installation. Continuous testing of configuration ensures
potentially dangerous changes are discovered and remediated in a timely manner.
UpGuard's free external risk grader analyzes website and email security along with
business risk to determine an organization's CSTAR score. What's yours?
quick checklist
1. Enable SPF
Prevent sender address forgery
2. Enable DKIM
Make your emails trustworthy
3. Enable DMARC
Utilize SPF and DKIM to the fullest
5. Disable Relaying
Prevent unauthorized use